Security devices can be used to protect a computer network from unauthorized, malicious or disruptive users. Examples of security devices include firewalls, Intrusion Detection Systems (IDSs), Intrusion Prevention Systems (IPSs), Unified Threat Management (UTM) systems, and the like.
Some security devices are flow-based (also known as stateful security devices). Flow-based security devices typically store information regarding flows associated with received packets. Flow-based security devices can perform security processing (for example, determining whether to drop a packet or allow it to pass) using the stored information regarding flows. Typically, a flow-based security device stores information regarding flows in a flow table (also known as a session table or a state table).
Flow-based security devices can track only a limited number of flows. The number of flows is limited by, for example, the amount of memory available to the flow table, the processing power of the security device (for instance, a Central Processing Unit (CPU) speed), and the like. A flow-based security device cannot handle new flows when its flow table is saturated (when it lacks capacity to store information on additional flows): packets that would start a new flow are dropped, even when they come from legitimate users, while packets belonging to flows already in the table may continue to pass. Consequently, a flow-based security device whose flow table is saturated causes a denial of service (DoS) for new connections to the resources it protects.
Attackers can attempt DoS attacks on flow-based security devices by deliberately saturating the flow table. For example, attackers can send a large number of illegitimate packets, sometimes referred to as a flood, in which each packet appears to belong to a new flow (for instance, by varying the source address or port). A flow-based security device will attempt to store flow information for every such packet, and consequently the flow table will become saturated if it does not have sufficient capacity. Examples of flood attacks include Transmission Control Protocol (TCP) SYN floods, User Datagram Protocol (UDP) floods, and Internet Control Message Protocol (ICMP) floods.
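The mechanism described in the preceding paragraphs can be made concrete with a small model. The following Python code is an added illustration, not part of the original text and not an implementation of any particular device: it models a flow table keyed by the packet 5-tuple with a fixed capacity, passes packets of flows already in the table, creates state for packets that start a new flow while capacity remains, and drops new-flow packets once the table is saturated. The addresses, capacity, and the flood traffic (TCP SYN, UDP or ICMP packets with varied source addresses and ports) are constructed for the demonstration; the class and function names are the example's own.

```python
"""Model of a flow-based (stateful) security device and flow-table saturation.

Added example: names, capacity and traffic are constructed for illustration.
"""
import random
from collections import namedtuple

# A flow is identified by the classic 5-tuple; both directions are folded
# into one key by sorting the endpoints, so a reply matches the request's flow.
FlowKey = namedtuple("FlowKey", "ep_a ep_b proto")
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto flags")


def flow_key(pkt):
    """Direction-independent key for the flow a packet belongs to."""
    a = (pkt.src_ip, pkt.src_port)
    b = (pkt.dst_ip, pkt.dst_port)
    return FlowKey(min(a, b), max(a, b), pkt.proto)


class FlowBasedDevice:
    """Stateful device with a bounded flow table (dict: FlowKey -> state)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.flows = {}
        self.stats = {"pass_existing": 0, "pass_new": 0, "drop_saturated": 0}

    def saturated(self):
        return len(self.flows) >= self.capacity

    def process(self, pkt):
        """Return 'pass' or 'drop' for one packet, updating flow state."""
        key = flow_key(pkt)
        if key in self.flows:
            # Packet of a known flow: no new state needed, so it passes
            # even when the table is full.
            self.stats["pass_existing"] += 1
            return "pass"
        if self.saturated():
            # No room to track a new flow: the device cannot handle it and
            # drops the packet, whether or not the sender is legitimate.
            self.stats["drop_saturated"] += 1
            return "drop"
        # First packet of a new flow: allocate a table entry.
        self.flows[key] = "syn_seen" if pkt.proto == "tcp" else "active"
        self.stats["pass_new"] += 1
        return "pass"


def flood(count, proto, dst_ip="198.51.100.10", dst_port=443, seed=1):
    """Constructed flood: each packet varies source address/port so that it
    looks like a new flow. proto is 'tcp' (SYN flood), 'udp' or 'icmp'."""
    rng = random.Random(seed)
    for _ in range(count):
        src_ip = "203.0.113.%d" % rng.randrange(1, 255)
        if proto == "icmp":
            # ICMP has no ports; model the echo identifier as the source port.
            yield Packet(src_ip, rng.randrange(1, 65536), dst_ip, 0, "icmp", "ECHO")
        else:
            yield Packet(src_ip, rng.randrange(1024, 65536), dst_ip, dst_port,
                         proto, "SYN" if proto == "tcp" else "")


def run_demo(capacity=1000, flood_size=5000, proto="tcp"):
    """Open one legitimate flow, run a flood, then check who still gets service."""
    dev = FlowBasedDevice(capacity)
    legit = Packet("192.0.2.7", 50000, "198.51.100.10", 443, "tcp", "SYN")
    assert dev.process(legit) == "pass"  # table has room before the flood

    for pkt in flood(flood_size, proto):
        dev.process(pkt)

    # The pre-existing flow is still tracked, so its later packets pass...
    existing_ok = dev.process(legit._replace(flags="ACK")) == "pass"
    # ...but a new legitimate client cannot get an entry and is denied.
    newcomer = Packet("192.0.2.8", 50001, "198.51.100.10", 443, "tcp", "SYN")
    new_denied = dev.process(newcomer) == "drop"
    return {
        "table_entries": len(dev.flows),
        "table_saturated": dev.saturated(),
        "existing_flow_passes": existing_ok,
        "new_flow_denied": new_denied,
        "dropped_during_flood": dev.stats["drop_saturated"],
    }


if __name__ == "__main__":
    for p in ("tcp", "udp", "icmp"):
        print(p, run_demo(proto=p))
```

Running the demo shows the asymmetry the text describes: a client whose flow was established before the flood keeps working, while every client that tries to open a new connection afterwards is denied, and the outcome is the same whether the flood consists of TCP SYN, UDP or ICMP packets, because what matters to the device is only that each packet demands a new table entry. Real devices add idle timeouts and other controls on top of this basic behaviour; the model deliberately omits them to isolate the saturation effect.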